The OpenVPN client seems to ignore the "--auth-retry interact" option provided for connecting to VPNs with one-time-password/multi-factor-auth (OTP/MFA aka 2FA). Instead of respecting the challenge-response from the server and prompting for an OTP, the OpenVPN client reverts to asking for the Username/Password again.
In my case, this is happening with DUO 2FA, not Google Authenticator. It doesn't matter what MFA provider we're talking about; the problem seems to be the OpenVPN client ignoring the Challenge-Response from the VPN server.
I think either: OPKG needs to be re-compiled for OPKG to support "--auth-retry interact" Challenge-Response with a compile-flag; or a separate OpenVPN Plugin needs to be built for OPKG.
I'd test these assertions myself but I'm at the bottom of the OpenWRT cross-compile ecosystem so it would save a lot of time for somebody who already builds OpenVPN for OPKG to chime in on this.
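
Added example (not part of the original post and not OpenVPN project code): a small parser for checking whether the AUTH_FAILED reason a client logs actually carries a challenge, and what reply the client is expected to send after prompting. It assumes the server uses OpenVPN's dynamic challenge (CRV1) format, which the post does not confirm; the function names and all sample values are constructed.

```python
import base64
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DynamicChallenge:
    echo: bool               # "E" flag: the typed response may be echoed
    response_required: bool  # "R" flag: the user must enter a response
    state_id: str            # opaque token the server uses to resume the session
    username: str            # decoded from the base64 field
    text: str                # prompt to show the user


def parse_auth_failed(reason: str) -> Optional[DynamicChallenge]:
    """Parse the text after 'AUTH_FAILED,'. Returns None for a plain
    failure (no challenge), in which case re-asking for credentials is expected."""
    if not reason.startswith("CRV1:"):
        return None
    # The challenge text is the last field and may itself contain colons.
    parts = reason.split(":", 4)
    if len(parts) != 5:
        raise ValueError("malformed CRV1 challenge")
    _, flags, state_id, user_b64, text = parts
    flag_set = {f for f in flags.split(",") if f}
    username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    return DynamicChallenge("E" in flag_set, "R" in flag_set,
                            state_id, username, text)


def build_response(ch: DynamicChallenge, otp: str) -> Tuple[str, str]:
    """Credentials sent on the retry: same username, and a password field
    that carries the state id and the OTP instead of the real password."""
    return ch.username, f"CRV1::{ch.state_id}::{otp}"


if __name__ == "__main__":
    # Constructed sample reason string (username "alice", made-up state id).
    sample = "CRV1:R,E:constructedState01:YWxpY2U=:Enter passcode"
    challenge = parse_auth_failed(sample)
    print(challenge)
    print(build_response(challenge, "123456"))
```

If the reason string in the client log parses as a challenge and the client still asks for Username/Password, the challenge reached the client and was not acted on; if it parses as `None`, the server side never issued one.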